Are your tickets on the ssh client forwardable? They need to be for the
GSSAPIDelegateCredentials yes to work.
Holger Rauch wrote:
Hi to everybody,
The problem I got is that interactive kinit/aklog combos work
perfectly, but when I try to log in remotely via ssh, the passwordless
login itself works, but a cd to my home dir doesn't occur because
pam_afs_session.so is either not considered or doesn't call aklog. The
exact error messages read as follows:
Could not chdir to home directory /export/home/people/hrauch: Permission denied
-bash: /export/home/people/hrauch/.bash_profile: Permission denied
As it is now, I have to manually invoke kinit && aklog in order to be
able to successfully cd to my home dir. That's exactly what I wanted
to avoid.
I googled but found only the hint that one needs to include
pam_afs_session.so in the PAM session config, which I did.
The above implies that LDAP setup (used for POSIX account info)
and MIT Kerberos setup (for password maintenance) are configured correctly.
SSH is set up to forward Kerberos tickets by using these options in
/etc/ssh/ssh_config on the client:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
This happens on a Debian Lenny system with openafs packages installed
from backports.org in order to circumvent some kind of memory
allocation error preventing the openafs kernel module from being loaded.
Here's the list of installed openafs packages obtained via dpkg -l:
===
ii  libpam-afs-session      1.7-1                  PAM module to set up a PAG and obtain AFS tokens
ii  openafs-client          1.4.11+dfsg-5~bpo50+1  AFS distributed filesystem client support
ii  openafs-krb5            1.4.11+dfsg-5~bpo50+1  AFS distributed filesystem Kerberos 5 integration
ii  openafs-modules-dkms    1.4.11+dfsg-5~bpo50+1  AFS distributed filesystem kernel module DKMS source
ii  openafs-modules-source  1.4.11+dfsg-5~bpo50+1  AFS distributed filesystem kernel module source
===
My PAM config (I have a few "fallback" system accounts too, that's why
pam_unix.so is mentioned):
- /etc/pam.d/common-account
===
account sufficient pam_unix.so
account required pam_ldap.so minimum_uid=10000 debug
account required pam_krb5.so minimum_uid=10000 ignore_root debug
===
- /etc/pam.d/common-auth
===
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
auth optional pam_afs_session.so program=/usr/bin/aklog
auth required pam_deny.so
===
- /etc/pam.d/common-password
===
password sufficient pam_unix.so nullok obscure md5
password required pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
===
- /etc/pam.d/common-session (I verified the path to aklog)
===
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so minimum_uid=10000 ignore_root debug
session optional pam_afs_session.so program=/usr/bin/aklog debug
===
Anything wrong with my PAM config?
/var/log/auth.log tells me:
===
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
===
Now, the obvious question is: How can I tell sshd or pam_krb5.so about
the ticket cache file?
Thanks in advance for any help!
Kind regards,
Holger
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
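Editor's note, added to this archived thread and not part of either message above: the check Doug asks for can be scripted. On the ssh client, `klist -f` lists each ticket's flags; the krbtgt entry must carry an uppercase F (forwardable) for `GSSAPIDelegateCredentials yes` to have anything to delegate. Lowercase f only means the ticket was itself forwarded. If F is missing, obtain the ticket with `kinit -f`, or set `forwardable = true` under `[libdefaults]` in /etc/krb5.conf and kinit again. The script below parses MIT-style `klist -f` output; the two sample listings, the cache path and the principals in them are constructed for the example, and the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not code from the thread: test whether the client's TGT is
# forwardable, the precondition for GSSAPIDelegateCredentials to hand a
# ticket cache to sshd on the remote host.
#
# Real use:   klist -f | tgt_is_forwardable && echo "forwardable"
# Remedy:     kinit -f   (or forwardable = true in [libdefaults], then kinit)

# tgt_is_forwardable reads "klist -f" output on stdin and exits 0 when the
# krbtgt/ entry's Flags line contains an uppercase F, 1 otherwise.
# The match is case-sensitive on purpose: lowercase f (forwarded) does not
# make the ticket delegatable onward.
tgt_is_forwardable() {
    awk '
        # a ticket line ends with the service principal; note if it is the TGT
        index($NF, "krbtgt/") == 1 { in_tgt = 1; next }
        # the Flags: line that follows a ticket line belongs to that ticket
        $1 == "Flags:" {
            if (in_tgt && index($2, "F") > 0) { found = 1 }
            in_tgt = 0
            next
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample listings in MIT klist -f layout (not captured output).
sample_forwardable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: hrauch@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/10/09 10:45:00  12/10/09 20:45:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: FIA
12/10/09 10:45:05  12/10/09 20:45:00  afs/example.org@EXAMPLE.ORG
	Flags: IAT
EOF
}

sample_not_forwardable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: hrauch@EXAMPLE.ORG

Valid starting     Expires            Service principal
12/10/09 10:45:00  12/10/09 20:45:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	Flags: IA
EOF
}

# report prints a one-line verdict for the listing fed on stdin
report() {
    if tgt_is_forwardable; then
        echo "TGT is forwardable: GSSAPIDelegateCredentials can delegate it"
    else
        echo "TGT is NOT forwardable: run 'kinit -f' (or set forwardable = true) before ssh"
    fi
}

sample_forwardable | report
sample_not_forwardable | report

# Live check, only when a Kerberos client is installed and a valid cache exists.
if command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null; then
    klist -f | report
fi
```

Once the client side passes, the matching check on the server is plain `klist` in the ssh session: with delegation working, sshd creates a cache and exports KRB5CCNAME for it, which is what pam_krb5 and pam_afs_session in the session stack are waiting for before calling aklog.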